Types of IPSec config

bh2o · August 26, 2023, 3:22am

Hi Rene,

In your course (Encor) you went through 3 types of IPSec tunnels, could you please verify if understanding is correct?
It seems like 2 and 3 are more handy hence used more often ?

1.Cisco IPsec Tunnel Mode Configuration:

define cryptomap (ISAKMP, Tranform-set, peer IP addressse of both ends of tunnel, ACL to match traffic to be encrypted )
apply cryptop map to interface of where the IP addresses of tunnel
define ACL to identify the source and destination traffic are to be encrypted
config routes to route traffic through IPSec tunnel
end result: all traffic that matches ACL are encrypted

2.Encrypted GRE Tunnel with IPSEC:

define cryptomap and apply to interfaces where GRE tunnels are built on
built GRE tunnel
define ACL to match all traffic through tunnel (to be encrypted)
end result: all traffic going through GRE is encrypted

IPSec Static Virtual Tunnel Interface:
- define crypto IPSec profile (isakmp, transform-set, )
- create tunnel interface and source/destination IPs, and apply crypto IPsec profile
- route traffic to tunnel

Thanks,
Sam

lagapidis · August 29, 2023, 7:11am

Hello Sam

Your understanding of the three methods by which IPsec can be applied appears to be correct. I just want to make the following clarification:

The IPsec Tunnel Mode option is a method that is used to encapsulate each IP packet into another IP packet and have it encrypted. Only the traffic matching the ACL will be encrypted. This method allows IPSec itself to create an entrypted tunnel.

The Encrypted GRE Tunnel with IPsec option uses a GRE tunnel, which by itself does not include encryption. In this case, you are applying only the encryption capabilities of IPsec to encrypt the traffic traversing the GRE tunnel.

Finally, the IPsec Static Virtual Tunnel Interface option is most similar to the IPsec Tunnel Mode at least as far as the encryption mechanisms applied. However, it is configured differently, especially as far as how to define traffic that will be encrypted.

Indeed the Encrypted GRE tunnel and IPsec VTIs are typically easier to configure and are more flexible in their application, so you see them used more often. They allow for more dynamic routing and multicast traffic, which is not possible with the tunnel mode configuration.

I hope this has been helpful!

Laz

bh2o · August 29, 2023, 7:49am

thanks , Is there a 4th or 5th way of configuring IPSec?

lagapidis · August 31, 2023, 6:16am

Hello Sam

It depends on what you mean. IPsec can also be used in a DMVPN environment, it can also be applied in an SD-WAN hub and spoke topology, and it can be used in combination with FlexVPN. IPsec can also be used in conjunction with MPLS in several ways, including the use of VRF-Aware IPsec for MPLS VPNS, as well as the use of MPLS over FlexVPN.

So you see, IPsec is a technology that can be applied to many different communication methodologies to employ encryption and security. The list above is not exhaustive, you can do a further search to find out more.

I hope this has been helpful!

Laz